ThinkTech Hawaii, civic engagement lives here. Welcome back to the Cyber Underground. I'm Dave Stevens, your host, and today we've got a special guest with us. And we've also got Andrew, the security guy. Andrew, welcome back, buddy. I'm here. Good to be back, man. And we have with us Rachel. Rachelle. I'm Matt. Rachelle. I'm going to get this fixed. How did I do that? I got it. You just got to change your name. Man. None of us know the right names. Steve Davins. Steve Davins, host of the Underground Cybers. What's going on today? Wow.

Introduce yourself. Thanks for being here, Rachelle. And tell us how you pronounce your name, and then tell us what you're all about. I'm Rachelle Monsilunga, not Rachel. Not Rachel. Not Rachel Monsilunga. Oh, does that happen often? Yes. His daughter's name is Rachel. Yeah. So he calls me that often. Oh, so he just... He really shouldn't tell me that. It's a cybersecurity show and I... Oh, that's so weird. Oh, that's so weird. It's an intelligence show. Cat's out. There's a piece of data. Great. You heard it here. I don't think tech. And Andrew's social security number is... Yeah. That'll get you a lot.

So you're here today to promote something. Yes. I'm here to promote Girls Go Cyberstart. Yeah. What's that all about? Girls Go Cyberstart. So actually last month Governor Ige put out a press release for this event. So it's a statewide event for high school students, young girls, from 9th to 12th grade. So it's the first time ever that they have it. So it's just to promote more girls to get into the cybersecurity field, because we're pretty underrepresented as far as women. Really? Because in my classes of cybersecurity, out of about 30 people, I see at least four girls. Yeah, four out of 30. Really? Dave. You gotta do some recruiting. When I was in his class, I would always be the only girl. Really? Yes. Wow. Okay. So girls in the class, but she was the lone wolf throughout the whole thing.
That's how Christine, my wife, did hers in SIS about, I don't know, 10 years ago. She was the only woman in our classes. You know, my wife's in technology. She manages a business analysis group. And she's pretty much alone. There's only two or three of them in the entire place she works. So thank you for starting them early. Because we've got to get the young kids, all the young kids, the young women especially, everybody, we've got to get them incorporated into this world.

So what are we going to do at this event? So this event, I actually did this in the summer. Oh. This is the collegiate level though. So this one is for high school. So they pretty much do kind of like a free web-based... Capture the flag. Oh yeah, right on. Like the NCL. Competition. Yeah, competition. So there's like Linux and kind of... Now these are the competitions where you have a number of puzzles to solve. Correct. When you go and solve a puzzle, you get a string, a little string of letters or numbers, and you get to paste that into the puzzle solution and then you've captured that flag. Oh, gotcha. That's a CTF, a capture the flag. Okay. And then they get progressively harder as you go along, right? So only the masters get to the really tough ones. And it's a fun competition. We did one just recently. And they're tough. We're shut.

Did you compete as well? Yes. And how'd you do? I was on your team. I had to do it because I took a class. It was a class at West Oahu. Our team didn't place. The other team was second. Our class was divided in half. But it's okay. I did it for the experience. Sure. I think I did better this year compared to, like I think two years ago when I did it. I just like doing the challenges. So will you coach a team for this one? Or what's HATS' involvement with this? So HATS' involvement with this one is just promoting the event. Okay. Can you tell us a little bit about HATS first? Yeah, let's talk about HATS.
Because people might not know what HATS is. This is your promo. Yeah. So HATS is actually the Hawaii Advanced Technology Society. I just recently became the president. I was the founder of HATS CC, which... Kapiolani chapter of HATS. Yes. Right? So there's several campuses where you have a chapter. Yes. But you're on the main campus now, UH West Oahu. Correct. Right? So I oversee all the other CC schools. Oh. Yeah. So LCC, HCC is all under us. All under one umbrella. And West Oahu is the mothership, they call it. And you were the overseer. Correct. Right? The overseer. We have a t-shirt that says... The overseer. The HATS overseer. Because those guys need to be reined in. Right. Those guys need to be reined in. You know, they're causing so much trouble out there.

Now, HATS has been really active with a lot of different types of activities. Yeah. You've been doing a lot of stuff. I see them in everything. They're pretty forward about getting involved with things that the state's doing on a lot of different levels. So is that extra tasking for you guys? It's extra, yes. Is it something you would normally do anyway as part of your curriculum, or just extracurricular? Extracurricular. Yeah. So it's like we do CTF training. I know they've done the Hawaii coding challenge, the CCDC, NCL. And they all have placements.

So CCDC is a collegiate cyber defense competition that's twice a year where most teams just play defensive. Yeah. You get a network and you pretend to basically be the help desk and the IT infrastructure team. And people call you up on the phone. They're called injects. And they give you assignments. Hey, our website's down. Help me recover my password. Yeah. Why doesn't this work? And you've got to determine which one's real, which one's a social engineering attack. And at the same time, people are physically trying to do network attacks against your infrastructure. And the first team we had, can I tell a story? Yeah.
The first team we had, she wasn't on the team. I wasn't on the team. This is great. We were all in the same room. I'm the coach, so I can't go in. I just coach them and I have to stand by them and watch them. Like with text? Or you're on a keyboard to coach? Or you just like screaming through the window? No. I can't do anything on the competition day. I just have to sit there and watch with the judge. Oh, okay. Got you. Got you.

And it was about lunchtime, so I thought I'd bring in pizzas. And the judge said, wait, I have an idea. So he types up an email: Auntie so-and-so brought in pizza. Come on and get your pizza. The whole team stood up and walked out of the room. Your team? The whole team. Stuff unattended. One of them even logged out. The red team snuck in the door while they were eating pizza. I had to watch him do it. He compromised every single machine. By the time they walked in, there were notes being typed saying you're compromised. The mouse was moving automatically. Everything, it's done. I said, come on out, have some more pizza.

And that's such a standard lesson, because we teach everyone at work: when you get up from your desk, you log out before you walk away. And you should never leave the PC unattended, ever. Right, right. So at least one person has stayed behind in all the competitions. It was a hard lesson to learn. And a lot of laughs afterwards. The judges were just teary-eyed. But that's part of us. That's part of the experience. It's typically something simple anyway. We talk often about how that social aspect is the door opener.

We always do this competition. We have not placed yet. But Leeward Community College always does; they have a HATS team. They're spectacular. And they always place first or second or third. Jason and his crew. Yeah, right. Had them on here too. NCL, National Cyber League. You guys also do that. And that's more of an individualized competition. Could you describe NCL for us a little bit?
NCL is also more of a capture the flag. There's open source. Other puzzles are there. So it's mainly puzzles. You've got to go solve the puzzles, decrypt something, reverse a hash, capture a flag, break into a website, decode something, interpret code. There's a JavaScript question or two in there. And it's more individualized, though. You go for points. Are tools limited? Or are you allowed to go get whatever you can get? No, you aren't. Okay, so you're allowed to go get tools to do things with? Sometimes, but not everything. Or are you in a bubble? Yeah, and sometimes you're in a bubble. And other times you can use what's on your system, but they'll tell you when you're in. The good thing about that is there's a gym where you can practice before the actual competition starts, and that's open throughout the whole competition. So that one kind of teaches you what kind of tools you can use, kind of like getting hints.

This is great stuff for cyber students. When they take a 16-week class, that is such a small segment of education. You can't get any concepts down in general. I mean, there's a huge amount of data out there. So this competition actually lets you touch on all these things, and every time you see how something is compromised, eventually you're going to be that person securing that system in a company, and now you know what the threat is. So you can secure that. You've seen it done before. You've seen it done before. Lights that little light that goes, hmm, this isn't good. That's right. We're under attack. I've seen this before.

Now, we also do stuff with the pen testing. Penetration testing. And we're in one now. Yeah. This is our third pen testing project. Nice. So penetration testing. Tell the audience a little bit about penetration testing. Penetration testing. So we go to local companies and we test the viability of their network to see if they're vulnerable to exploits.
And then afterwards we give them a report and we tell them this is what you need to fix and this is what we found. So we do a lot of open source intelligence on them as well. Very good. A lot of reconnaissance. So when you go out and recon the web and the deep web for information, this is just out there; they can't hide it. And then we use that for things like phishing and spear phishing campaigns, which are hilariously fun. Sometimes they work, sometimes they don't.

But we've pulled jokes with the can drive. The food can drive. We also did one where we asked them to put all their chairs up on top of the table: floors are being cleaned. So at the end of the day, people were putting stuff on their desk. The can food drive, people would take the cans and put them outside the boss's door. Eventually there's a couple hundred cans outside the door and you try to figure out, why are people stacking cans? Sure. The photo contest was the best. Yeah, the selfie. So we wanted people to do selfies inside the work, their favorite place at work. So they take a selfie and the background would give us a floor plan. Gathering a bunch of data. It's information gathering. Just put that together. And the other stuff is just business disruption. And we stop short of things like activating the fire alarm and then going in and stealing. You do non-destructive stuff. Non-destructive stuff. There was an idea. Once we wanted to send them out an e-mail saying we're doing a fire drill and then we're going to go and steal the chairs. Until we realized, it's like 700 chairs. I don't think we could pull this one off. That's not a good sneak. Yeah, you need like a bar. A big truck for that. Right, right. And a lot of people.

So tell me what will be the focus with the high schoolers, because this will be fairly new to some of them, especially with a little bit of structure. I'm sure they do a lot of unstructured things on there with their own tools or their own toys or their own apps.
Is this a classroom activity or do you do this after school? No, so they can do this after school. It's a six-day event and it's 24 hours. So they can go on whenever, so they can go do their homework. So they can remote in. Yes. Oh, that's great. All they need is a computer and a good connection. Okay, cool. How many high schoolers are we talking about? Is this statewide? Statewide, yes. Because I know that they're now promoting Kauai too. Wow. Oh, that's good. Our neighbor islands get left out quite a bit.

And so will you do coaching sessions ahead of time? How will they engage? Give us a little feel for the... I know that there's instructors, like for my alma mater, which is Sacred Hearts Academy, so they have a teacher there that trains all of them. But you don't really need any experience because... Learn as you go. Yeah. That's awesome. I like that. So failure is sometimes the best teacher. Sure. Well, that's how you learn. Everything you've ever learned, you did it wrong five times until you figured out the right way. Well, I know you and I did. That's the story of my life. Well, that's the only way I learned. I break everything I touch and then I figure out how to fix it. And then you learn a lot that way. I find women don't do that as much. Well, they're smarter. They ask someone... No, that'll break it. Like me, I just break it. I don't ask anybody. Right. That's what my wife does; she'll ask for instructions and they'll tell you how to do it. Yeah. Do they Google it, or are they like, oh, there's actually information about it first? You don't actually have to make it up. No, we're just like, oh, it broke. We'll turn it in.

So it's interesting that we had that idea about men and how, you know, they won't ask for directions. So in your experience, like in classroom activities and in work, the women that you see coming into the program, what do you think their level of effectiveness is compared to some of the males that you've seen? How do you feel? Are they better?
Are they worse? Are they more distracted? Less distracted? What do you think? Is there a gender question there? I don't know. For me personally, I speak up. Good. If I have a question I'm not sure about, I ask. Yeah, good. And I know there's other women in the classroom that are afraid to. So later on I ask them, was that a dumb question? They're like, no, I wanted to know that too.

Well, you told me about an experience in one of your classes just recently where the teacher asked you, what do you all want to do? Right. And everybody said pen testing, except for you. And then when the teacher said what experience have you had, you're the only one that moved. Yeah. Right? Yeah. Because you've actually done this kind of stuff. You've actually put yourself out there. Correct. Because I've done a lot of internships, so I was kind of thinking to myself, oh my God, because everyone in the back was like, shh. They were mad. Like, I wasn't trying to show off. Right. You just said it. Right. No, experience is so important. I mean, that's why you start high schoolers off. I mean, the shortage is known and we're going to be five billion IT people short. Right? So we need everybody in the game. We need to start them in probably diapers. I don't know, five-year-olds, they're going to be six-year-olds getting into small businesses. Well, are we going to be tracking them? Are they going to have what's going on with them? I always wanted to pay my daughters' dentist to put it in their dental work, so they'd never know. Ooh. They could track them everywhere. But then they came out with the track-your-iPhone thing, so that's been enough. Yeah, in our next 15, we'll talk about that tracking problem.

Yeah, that's... oh, so one last thing now, this Girls Go Cyberstart, how do you sign up? Where do you go? So you can sign up at www.girlsgocyberstart.com. Uh-huh. And it's until February 16 to register. And the event, again, is February 22 to 26. It's 24-7. And it is just girls. Yeah.
Is it actually only open to females? Okay, cool. I'm glad discrimination is starting to work the other way now. Free of charge? Free, yeah. Free of charge. Awesome. There's no discrimination there, you guys. I just hope these young high school girls go play, go learn this stuff. There's so much opportunity out there for you. They're pulling in. You said you've done some internships. I mean, there is paid work. Anybody that can handle a keyboard can handle it. I mean, there's work for you out there already. If you want to make a little money in the summer or something, you know. Yeah, definitely. Dave needs all the help he can do. I need all the help I can get. Okay, we're going to take a little break. All right. And we're going to pay some bills. We'll be right back. Until then, stay safe. Aloha.

I'm Winston Welch. And every other Monday at 3 p.m., you can join me at Out and About, a show where we explore a variety of topics, organizations, so please join us every other Monday at 3. And we'll see you then. Aloha.

Hello, everyone. I'm DeSoto Brown, the co-host of Humane Architecture, which is seen on ThinkTech Hawaii every other Tuesday at 4 p.m. And with the show's host, Martin Despang, we discuss architecture here in the Hawaiian Islands and how it not only affects the way we live, but other aspects of our life, not only here in Hawaii, but internationally as well. So join us for Humane Architecture every other Tuesday at 4 p.m. on ThinkTech Hawaii.

Welcome back to Cyber Underground. Here's our second half. We just had Rachelle Monsilunga. Rachelle. And I'm Steve Davins. Steve Davins. Okay. One of those days, it's a Friday. It's a... Thank God. It's a Friday. Let's talk about some of the things that are in the news. You should blow this episode up with some name, right? Anyway... I forgot his name before. How can he host a radio show? He doesn't even know his guest's name. Radio would be better. I have a face for radio.
Is this a radio show or TV? We are on screen, man. But I get lost. I don't know. All right. Let's talk about the fitness apps that are inadvertently telling everybody about secret U.S. military bases. Strava is a website where data gets uploaded from things like Fitbits. Yeah. GPS at Garmin, and Garmin is probably the more powerful tool that most athletes are using. Now, every time they do this upload, they ping a satellite, basically, or some other web-based device that takes all this information to a database and gives them a geo-coordinate. Longitude, latitude, minutes, seconds. Yeah. It shows your entire route. It will show you the pace over certain parts of the route, all that. They have it for swimming, cycling, rowing, this and that. You use this for just about anything you can do. Sure.

So performance measuring is a piece of that. Typically, back when I had a coach, which was a waste of money when you were as slow as me, but, you know, I had a coach. And, you know, so he's going to give you some performance measures that you need to meet. And when you're out there doing it and it's sometimes hours long, you really can't just gauge it yourself; you need some sort of data to tell you to speed up or, you know, slow down or whatever it may be, right? So you're supposed to be training in a window, usually a cardiovascular window or something like that, depending on what type of training you're doing. So these devices are gathering all of that data while you're training. And then when you upload it, you know, I don't recall that I could choose what parts of the file go; all the data goes. Right. So if you had a heart rate monitor on, that goes with it. If you had something that was measuring barometric pressure, for example, that would go with it. So any device that you had on... some of these devices are tracking 10 or 15 things, it's crazy.
But, you know, surely all the GPS data. Now, again, sometimes you get in the trees in the forest, it'll drop out, so if you run through the woods, all of a sudden there'll be a straight line. It's like, really, I jumped that valley like Superman. You were here, now you're here. Yeah, it's amazing. I wish I could do that. Save me a half hour on my run. But, you know, so that file goes up and, interestingly, they tell you that, you know, you sort of sign off that you're going to send all that data up. So the terms and conditions: you have to click yes before they'll let you upload. And you upload it each time, you know, so you could even upload every run or whatever; you probably record all of this kind of stuff. Amateur athletes, because, you know, the pros have someone that tells them all they need to know. Well, the pros, the data is really... that's like professional-level data mining and they use that for a professional edge in competition. Yes, exactly. And so the amateurs all want to emulate that. That's why they sell us all these devices, right? That we wear. We never... those pros are monsters. It's a whole other animal.

But anyway, so the amateurs get all this data. So Strava was probably collecting this data. I don't recall it, but it's been eight years ago and it was somewhat new, you know. Well, they started in 2007. By 2008, they were publishing this data. That would make sense. So 11 years ago. Okay. The whole time you've been doing this. Yeah. And everyone, millions of people. Somewhere along the line, there were some problems with our military; they're getting a little bit too much weight. You think? Yeah, well, you were in the Navy. What's that mean? What is it about E7, the chief? Wow, yeah. Yeah. Well, because, you know, you had to do 150 push-ups. After you make chief, you only got to do 12. Well, there you go. I'm just joking, chief. Just joking. Just joking out. They're the sacrificial lamb today.
Love the military. So the military said, for those guys, you got to wear these devices that help you get into shape. And they thought they were doing a good thing. But then those guys signed up for this data share where they uploaded it. And they thought they were safe because it anonymizes the data. Yeah. But. Well, the heat map was anonymized. Now, that file I sent is surely from me. But that heat map that Strava published with everyone's data, that's anonymized. Right. Yeah. Right. So the individualized stuff, that's yours. But when they anonymize, that's everybody. The entire database. And that's where it gets a little bit dicey.

So let's look at some photos. Let's take a picture of one of those. Here's a place that you might not recognize if you look at it. But if this was overlaid with a map that we panned out a little bit, you'd notice that this is Helmand province. This is a U.S. Army base. It's really not supposed to be on Google Maps anywhere. And you can not only see where people are walking and running, but you see the shape of the entire base and all the roads around it. Yeah, surely the outlines. This could be compromising data. Well, and I'm going to guess the white is hottest, so you can see the routes that get run the most. So the places where it's dim might be a good entry point. People don't run by there or walk by there a whole lot. So this could actually be used to compromise a U.S. military base. Yeah, it's funny how they're running around the whole... that's the air... that's the runway there, so they're running around the airstrip, it looks like. You know, a lot of these guys have to run really far, right? I'm not going to tell you how you got that.

So this was a piece of the heat map. So they released the heat map of all this data, all these 11 years of data from everyone; they put it out in one big database with the heat map of the world. So everywhere that everyone's been exercising all this time created a heat map.
Places you'd never considered. Let's look at the next photo here. Yeah, I think that's what they didn't think about. This is the Falkland Islands. Yeah. Well, there's some water all around. That's the island. Wow. You can look at the Falkland Islands and see where the U.S. military personnel are. And this is not good, that the U.S. military has let this data be published. So they're going to have to make an adjustment. Yeah, I don't think they let it. I think this was published from a source outside the United States, right? Isn't Strava owned by a European company? It is a Northern European... I want to say Norway, but I'm not going to lock it down. I don't think that this was meant maliciously. I think it was done sort of... I don't even want to say negligently. I think that they just didn't consider some of the data that could be there. Yeah.

And there's a great story behind this. In Canberra. Yeah. Found this. Found this in Australia. Probably a cyclist, because they have a ton of them there. I don't know. He just told his dad, hey, look what I see. And this is from all the fitness apps. And his dad actually joked, what you're seeing is where all the rich white people exercise. So I hate to admit it, but this is probably, you know, the wealthier white people probably pioneered the trend, because we just buy this. Because they could afford those apps. Or those devices.

So this is great. Do you know where this is? Can you guess? I mean, I don't even think we... There's a river. This is North Korea. Oh, wow. This is the capital river. Not too many ad... Not too many fit... It's not very hot. They got one little kind of white route. A lot of people run along the river. You can see that. The thing I'm afraid of is that the white line kind of tapers off and disappears over to the left. So I think maybe that's where they run away, and they just go out and back. Oh, they go, I'm back. Yeah.
And then you'll see the little circle at the top right there on the river. So it looks like they either start there or end there or something. And you can tell they have a lot of people that don't run quite so far by how hot that little trapezoidal shape is there. And the darkest area is where Kim Jong-un is. You don't think he's running much? Do they have bikes? I don't know. I didn't know they had fitness. Do they have fitness? They must. I mean, we're looking at a view of it. Oh, this might have been his Olympic team training. Right. That is great. He sent some athletes over.

So the last one, the last photo we got to look at, is a little frightening. Let's look at the last one. Langley, Virginia. The good thing is our agents are training. They're working out. That's right. Those guys are all over that map. And that looks like about 5K, maybe more, around that facility. That's pretty big. That's a darn good run. A couple laps in, that's going to keep you super fit. Unfortunately, I mean, there's no secrets here, right? Now, even if you blur this out on Google Earth, now you know where people are. And the problem is there's photos that I'm not showing. There's a base in Syria that was supposed to be completely secret. Yeah. And that's why I wish that they had got some advice before they released and kind of blurred that out or blanked that data out for some of these more serious reasons that you're talking about. Yeah. Someone was watching. Yeah. And I don't think they intended to give away this intelligence. I agree with you. Completely unintentional.

The great thing is young pioneers like Rachelle are now seeing this kind of stuff. And when you get into the workforce and you're a professional and you will be a leader someday, I'm sorry, it happens to all of us. You get to be a leader and you say to people, don't do that. Mass release of data can maybe have unintended consequences, right? Yeah, right. So we've seen this.
Well, I think it was a good-hearted release on their part to maybe just show the hottest cities are the most heavily trained, or well, it's an interesting heat map. But the data contained, you know, could be used by others for other purposes. So good advice when you get into a company and you're dealing with a massive amount of data, banks, healthcare, military: have data owners for the data segments and have them be responsible for their data. Don't just have someone request, hey, can I have access to the data warehouse? Sure, here you go. That data warehouse contains a lot of data. And you might only need a little piece of it. So have a data owner that's responsible for that piece of data.

Now you worked for the state. That was your internship. I worked for Todd and Vince. Oh, right on. Todd Nacapuy. And Vince Hoang. Yeah, yeah. So he's the state CIO. Correct. And Vince is... CISO. Yeah, CISO. CISO, first one. I don't think we ever had one before. I don't think so. He's the first one. Yeah. And you got to do it for what, eight months? Vince was the summer and then Todd was the fall. Almost all voluntary, right? Correct, yeah. So she did her internship servitude and then... Oh, what did they teach you? What did you work on? Can you tell us? No. Cool. You saw some cool stuff. It was a State of Hawaii heat map for the Fitbit. For the summer, that was a TIP program. So I was in a group of... I was with two other guys. So we did security awareness for data breaches. Oh, okay. Great. Yeah. What else? Oh, we also did how to educate the company on kind of like the... We did like a capture the flag kind of thing. Oh, wow. Education is a big one in companies. Yeah. You've got to keep doing that. People forget; you have turnover.

Okay, we've got to wrap it up. Let's advertise the program. Yeah, one more time. Yeah, let's do it one more time. So if anybody wants to join, it's www.gocyberstart... Go girl... Oh my God. Sorry? Girlsgocyberstart.com.
You probably Google that, right? Yeah, for high school. This is for high school. What's the age group? Age limit? 9th to 12th grade. 9th to 12th grade. So girls, sign up, get some experience. Pack in the world. So this is with the State and the SANS Institute. All right. All right. Thanks for being with us. Yeah, thanks for helping. Thank you for having me. And we'll see you next week. We'll do another interesting topic. I will. Okay. Aloha. Aloha. Wonder Twin powers, activate. Wow. All right. Thanks for joining us. Until next week, stay safe.